A Chrome VPN extension named FreeVPN.One, boasting over 100,000 installations and a “Featured” badge, was found to be secretly capturing screenshots of users’ browsing activity, according to a report by Koi Security.
The extension, rather than simply handling VPN traffic, was covertly capturing screenshots of every website visited, including sensitive information like bank logins, private photos, and confidential documents. These screenshots were then transmitted to servers under the control of the extension’s developer.
The method employed by FreeVPN.One involved incrementally adding Chrome permissions while disguising its actions as “AI Threat Detection.” This allowed the extension to operate as a constant background surveillance tool, contrary to the user’s expectation of enhanced privacy through VPN usage.
By exploiting Chrome’s <all_urls/> and scripting permissions, FreeVPN.One gained unrestricted access to every webpage a user opened. Koi Security researchers verified that the extension was capturing screenshots even on trusted sites such as Google Photos and Google Sheets. The developer claimed that these images were not stored but did not provide any evidence to support this assertion.
Several warning signs were present, indicating the potential risks associated with FreeVPN.One. These included poor grammar and poorly written descriptions, a generic Wix page serving as the sole developer “contact,” and a promise of unlimited, free VPN service without a discernible business model.
While some free VPNs may operate responsibly, many rely on alternative methods of monetization, potentially involving the sale of user data. This highlights the importance of scrutinizing the business practices of free VPN providers.
In response to Koi Security’s findings, the developer of FreeVPN.One offered a partial explanation, claiming that the automatic screenshot captures were part of a “background scanning” feature intended for suspicious domains only. The developer also stated that the images were not stored but only briefly analyzed for threats. However, researchers observed screenshots being taken on trusted sites like Google Photos and Google Sheets, which contradicted the developer’s explanation.
When asked to provide proof of legitimacy, such as a company profile, GitHub repository, or professional contact, the developer ceased communication. The only public link associated with the extension led to a basic Wix starter page.
Following the exposure of its activities, FreeVPN.One was removed from the Chrome Web Store. Attempts to access its page now display the message: “This item is not available.”
The removal of FreeVPN.One underscores a concerning gap in Chrome’s review process. The extension was able to operate with spyware-like behavior for an extended period while still carrying a verified label, raising questions about the thoroughness of Chrome’s review process for updates to featured extensions.
To protect against VPN extension spyware, users are advised to take the following steps: uninstall immediately any suspicious Chrome VPN extension like FreeVPN.One, use a trusted VPN with a proven track record, audited policies, and transparent operations, scan their device with strong antivirus software to check for hidden malware, change passwords assuming that anything typed or viewed could have been logged, use a personal data removal service to limit the potential for exploitation, and review the permissions requested by any extension before installation.
The FreeVPN.One incident serves as a reminder that “free” services often come at a hidden cost, which may involve compromising your data. Users should exercise caution and thoroughly vet extensions before installation, rather than assuming their safety based on popularity or badges. The incident highlights the need to carefully consider the trade-off between convenience and privacy when using free tools and to re-evaluate the true cost of “free” services.
